
By Rita Bowen and Jan McDavid

In mid-January, the Dept. of Health and Human Services (HHS) released its long-awaited HIPAA omnibus rule, which significantly amends the original HIPAA privacy, security and breach rules. Nowhere are the changes more impactful than in the relationship between covered entities (CEs) and business associates (BAs). BAs are now, for the first time, directly liable for compliance with certain requirements of the HIPAA rules, including the cost of remediation of breaches for which they are responsible. The new rule went into effect March 26, 2013. Covered entities and BAs are expected to comply by September 23 of this year, so there is much work to do. The following tip sheet includes a general overview of the new HIPAA rule and provides suggestions on how to best communicate the changes to BAs to ensure a smooth path to compliance.

What’s new for BAs in the new HIPAA rule?

• Security rule safeguards apply.
• Privacy rule use and disclosure rules apply.
• They can use protected health information only as stated in the business associate agreement.
• Penalties can now be assessed on BAs.
• BAs are now responsible for having business associate agreements (BAAs) with their subcontractors, who will now be treated as BAs.

CEs must have BAAs with their BAs, and BAs must have BAAs with their subcontractors. Key components must include:

• Start date, expiration date, review dates and signatures.
• Terms and conditions of how to use or disclose private health information (PHI), data rights, security, etc.
• New language surrounding breach notification and the securing of data.
• New disclosure-related requirements concerning EHRs.
• Policies and procedures for retention and destruction of data and the recording and reporting of breaches.

Rita Bowen, SVP of HIM and privacy officer, HealthPort
Jan McDavid, compliance officer and general counsel, HealthPort

Are you a healthcare business associate (BA) or subcontractor wondering about your compliance status regarding the new HIPAA Final Rule changes? Kroll Advisory Solutions has a program that can help. The “Business Associate HIPAA Self-Risk Assessment (BA HSRA)” is Kroll’s self-guided tool based on HIPAA provisions, security best practices and guidance from the National Institute of Standards and Technology (NIST). Developed in collaboration with Grant Peterson, J.D., chief compliance officer and founder of HIPAA Analytics, the Kroll tool produces valuable performance measurements, remediation insight and forms for attestation of HIPAA compliance status. Users can identify vulnerabilities within their administrative, physical and technical security safeguards and pinpoint privacy aspects where improvement is needed. The assessment is delivered via Kroll’s secure client portal. A competitively priced program allows for one year of unlimited access. Learn more at www.krolladvisory.com.